File name:

WeGameMiniLoader.std.5.12.21.1022.exe

Full analysis: https://app.any.run/tasks/bbe13f1c-9dbc-4701-9008-a47b236aa2b1
Verdict: Malicious activity
Analysis date: July 13, 2024, 22:02:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
qrcode
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

2C337EC80626CE49CA4380EAD23AEDF6

SHA1:

A840D90EFE74A00DAEC2B4470F09A4836E23F308

SHA256:

5BA8182417D0F72FF509B22C0E20110D856321F754E69B7F299D497D73704BB3

SSDEEP:

98304:6eYdOmsTpn0v+Ae1YDYW5HRKvSbRqba2pbc8ul+kWh0QxpI4SRzm9mL/fwGF6uOh:xtBYnawVQcqy2P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WeGameMiniLoader.std.5.12.21.1022.exe (PID: 3208)
      • TinyDL.exe (PID: 3124)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WeGameMiniLoader.std.5.12.21.1022.exe (PID: 3208)
      • TinyDL.exe (PID: 3124)
    • The process creates files with name similar to system file names

      • TinyDL.exe (PID: 3124)
    • Drops 7-zip archiver for unpacking

      • TinyDL.exe (PID: 3124)
    • Drops a system driver (possible attempt to evade defenses)

      • TinyDL.exe (PID: 3124)
    • Process drops legitimate windows executable

      • TinyDL.exe (PID: 3124)
    • The process drops C-runtime libraries

      • TinyDL.exe (PID: 3124)
  • INFO

    • Reads the computer name

      • WeGameMiniLoader.std.5.12.21.1022.exe (PID: 3208)
      • WeGameMiniLoader.exe (PID: 2748)
      • TinyDL.exe (PID: 3124)
    • Checks supported languages

      • WeGameMiniLoader.std.5.12.21.1022.exe (PID: 3208)
      • WeGameMiniLoader.exe (PID: 2748)
      • TinyDL.exe (PID: 3124)
    • Creates files or folders in the user directory

      • WeGameMiniLoader.exe (PID: 2748)
      • WeGameMiniLoader.std.5.12.21.1022.exe (PID: 3208)
      • TinyDL.exe (PID: 3124)
    • Creates files in the program directory

      • WeGameMiniLoader.exe (PID: 2748)
      • TinyDL.exe (PID: 3124)
    • Reads the machine GUID from the registry

      • WeGameMiniLoader.exe (PID: 2748)
      • TinyDL.exe (PID: 3124)
    • Create files in a temporary directory

      • WeGameMiniLoader.std.5.12.21.1022.exe (PID: 3208)
    • Manual execution by a user

      • explorer.exe (PID: 3080)
      • explorer.exe (PID: 324)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:02 02:11:19+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27648
InitializedDataSize: 122880
UninitializedDataSize: 1024
EntryPoint: 0x396c
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.12.21.1022
ProductVersionNumber: 5.12.21.1022
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Windows, Chinese (Simplified)
Comments: -
CompanyName: Tencent
FileDescription: -
FileVersion: 5.12.21.1022
LegalCopyright: -
LegalTrademarks: -
ProductName: WeGame
ProductVersion: 5.12.21.1022
No data.
All screenshots are available in the full report
Total processes
50
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

start
  • wegameminiloader.std.5.12.21.1022.exe
  • wegameminiloader.exe
  • tinydl.exe
  • explorer.exe (no specs)
  • explorer.exe (no specs)
  • wegameminiloader.std.5.12.21.1022.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 324
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2748
CMD: "C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\WeGameMiniLoader.exe"
Path: C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\WeGameMiniLoader.exe
Parent process: WeGameMiniLoader.std.5.12.21.1022.exe
User:
admin
Integrity Level:
HIGH
Description:
WeGame下载器
Version:
5.12.21.1022
Modules
Images
c:\users\admin\appdata\local\wegame\wegameminiloader(55555)\wegameminiloader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 3080
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3124
CMD: session=1 uid=0 parent="C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\WeGameMiniLoader.exe"
Path: C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\tiny_dl\TinyDL.exe
Parent process: WeGameMiniLoader.exe
User:
admin
Company:
Tencent
Integrity Level:
HIGH
Version:
1.0.3.0
Modules
Images
c:\users\admin\appdata\local\wegame\wegameminiloader(55555)\tiny_dl\tinydl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
PID: 3208
CMD: "C:\Users\admin\AppData\Local\Temp\WeGameMiniLoader.std.5.12.21.1022.exe"
Path: C:\Users\admin\AppData\Local\Temp\WeGameMiniLoader.std.5.12.21.1022.exe
Parent process: explorer.exe
User:
admin
Company:
Tencent
Integrity Level:
HIGH
Version:
5.12.21.1022
Modules
Images
c:\users\admin\appdata\local\temp\wegameminiloader.std.5.12.21.1022.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
PID: 3392
CMD: "C:\Users\admin\AppData\Local\Temp\WeGameMiniLoader.std.5.12.21.1022.exe"
Path: C:\Users\admin\AppData\Local\Temp\WeGameMiniLoader.std.5.12.21.1022.exe
Parent process: explorer.exe
User:
admin
Company:
Tencent
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
5.12.21.1022
Modules
Images
c:\users\admin\appdata\local\temp\wegameminiloader.std.5.12.21.1022.exe
c:\windows\system32\ntdll.dll
Total events
3 519
Read events
3 519
Write events
0
Delete events
0

Modification events

No data
Executable files
653
Suspicious files
260
Text files
863
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 3124
Process: TinyDL.exe
Filename: C:\Program Files\WeGame\qbblinktrial\libcef.dll
MD5:
SHA256:
PID: 3124
Process: TinyDL.exe
Filename: C:\Program Files\WeGame\data\json_db\base_game_oss.local
MD5:
SHA256:
PID: 3124
Process: TinyDL.exe
Filename: C:\Program Files\WeGame\data\client_ui.vfs
MD5:
SHA256:
PID: 3208
Process: WeGameMiniLoader.std.5.12.21.1022.exe
Filename: C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\Minidown.ini
Type: binary
MD5: 3AD97EC6C981FA842945065D3BFD89DF
SHA256: D0B9825E5625FC72584F15572A98522D3F6CF9EF5EEE3C4B27BD13B030F11754
PID: 3124
Process: TinyDL.exe
Filename: C:\Program Files\WeGame\tpf_ui.vfs
MD5:
SHA256:
PID: 3124
Process: TinyDL.exe
Filename: C:\Program Files\WeGame\apps\Pallas\lolguide\LOLRes.vfs
MD5:
SHA256:
PID: 3208
Process: WeGameMiniLoader.std.5.12.21.1022.exe
Filename: C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\res.zip
Type: compressed
MD5: 3D9EBDC1C81C496A2BB7E4CC4938B7DB
SHA256: 4537544B2A23CF9225E7F7E46ED098BE1D474A1B86F84C2FBCDE9056050561F8
PID: 3208
Process: WeGameMiniLoader.std.5.12.21.1022.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfEA7D.tmp\NSISPlugin.dll
Type: executable
MD5: 362EDDF4162293770BCFF8FA9BFABB7F
SHA256: F2B73BA3CA42DD9097727F6E0AABFA63B566C2D78BE0D41791D72C6D16240D78
PID: 3208
Process: WeGameMiniLoader.std.5.12.21.1022.exe
Filename: C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\bugreport.ini
Type: text
MD5: 27EC1E105337C0AD4BDDB8F2A9551F6C
SHA256: ED60CA6895464814F9E5BC132F41645630CC785FAE9FC7DA6362B5690B3A97CD
PID: 3208
Process: WeGameMiniLoader.std.5.12.21.1022.exe
Filename: C:\Users\admin\AppData\Local\WeGame\WeGameMiniLoader(55555)\WeGameMiniLoader.exe
Type: executable
MD5: 77159A76C4B8BDAEF68E936D9AAD6732
SHA256: C6FD4A9A35C2EA4CEFA54524F88BC488712AB20059AE58B9E83FFDBFA5DA0AEA
HTTP(S) requests
3 059
TCP/UDP connections
26
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
whitelisted
1372
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3124
TinyDL.exe
GET
200
43.152.29.15:80
http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/manifest/10974_3198251187778410138_0.wgj
unknown
whitelisted
3124
TinyDL.exe
GET
200
43.152.29.15:80
http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/chunks/b2/b227c06ba70bf6f69ac36364c4e58ae18d5df22258c3ea3739462886f4f66b06.wgc
unknown
whitelisted
3124
TinyDL.exe
GET
200
43.152.29.15:80
http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/chunks/46/46a8c93c85cb8b8c68f3a4bb54086276d884409c5cf323c50094218299882956.wgc
unknown
whitelisted
3124
TinyDL.exe
GET
200
43.152.29.15:80
http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/chunks/bc/bcfca5c4280707efa2606b74335b175ab834f547e50bd1cda28dc46dee9b9cd2.wgc
unknown
whitelisted
3124
TinyDL.exe
GET
200
43.152.29.15:80
http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/chunks/de/de83d2c6c07dd4f7e9702ea38cbee93b304d7947eda8265a71f8c3b80e405c26.wgc
unknown
whitelisted
3124
TinyDL.exe
GET
200
43.152.29.15:80
http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/chunks/6f/6f6ef7179a02d7923b400b3fda9c90369b97fb54be8d9ce13792958249f289ca.wgc
unknown
whitelisted
3124
TinyDL.exe
GET
200
43.152.29.15:80
http://down.qq.com/tgc/iwerepository/rid.10974-r.d9cf0/chunks/73/733aa8390cf2ff33f6f00d51528151187497c76f95950e19471995bc89d09be2.wgc
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:137
whitelisted
1372
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
2564
svchost.exe
239.255.255.250:3702
whitelisted
1060
svchost.exe
224.0.0.252:5355
whitelisted
2748
WeGameMiniLoader.exe
116.130.229.213:8000
ied-tqos.qq.com
unknown
2748
WeGameMiniLoader.exe
49.51.20.228:443
www.wegame.com.cn
Tencent Building, Kejizhongyi Avenue
CA
unknown
3124
TinyDL.exe
49.51.20.228:443
www.wegame.com.cn
Tencent Building, Kejizhongyi Avenue
CA
unknown
1372
svchost.exe
199.232.210.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.142
whitelisted
ied-tqos.qq.com
  • 116.130.229.213
whitelisted
www.wegame.com.cn
  • 49.51.20.228
unknown
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
down.qq.com
  • 43.152.29.15
  • 43.152.29.20
  • 43.152.137.29
whitelisted

Threats

No threats detected
Process
Message
WeGameMiniLoader.std.5.12.21.1022.exe
[NSISPlugin][TQosReport] TQos Server Address: , Port: 0, TQos ID: 0
WeGameMiniLoader.std.5.12.21.1022.exe
[NSISPlugin][TQosReport] Create TQos API Handle Error: tqos_get_qosconnd_iplist fail
WeGameMiniLoader.std.5.12.21.1022.exe
[NSISPlugin][TQosReport] TQos Server Address: , Port: 0, TQos ID: 0
WeGameMiniLoader.std.5.12.21.1022.exe
[NSISPlugin][TQosReport] Create TQos API Handle Error: tqos_get_qosconnd_iplist fail